CVE-2026-40177
Received Received - Intake
Two-Factor Authentication Bypass in Ajenti.plugin.core Before

Publication date: 2026-04-10

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible to bypass the password authentication This vulnerability is fixed in 0.112.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40177
EUVD
EUVD-2026-21575
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ajenti ajenti_plugin_core to 0.112 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability affects ajenti.plugin.core versions prior to 0.112 and allows bypassing password authentication even when 2FA is enabled.

To detect if your system is vulnerable, you should first check the installed version of ajenti.plugin.core.

  • Run a command to check the installed version, for example: pip show ajenti.plugin.core
  • Alternatively, you can list all installed packages and filter for ajenti.plugin.core: pip list | grep ajenti.plugin.core

If the version is earlier than 0.112, your system is vulnerable to this password bypass issue.

There are no specific network detection commands or signatures provided in the available resources.

The recommended mitigation is to upgrade ajenti.plugin.core to version 0.112 or later.

Executive Summary

CVE-2026-40177 is a high-severity vulnerability in the ajenti.plugin.core package affecting versions prior to 0.112.

The vulnerability allows an attacker to bypass password authentication even when two-factor authentication (2FA) is activated.

This means that the intended security provided by 2FA is compromised, enabling unauthorized access without proper password verification.

The issue was fixed in version 0.112 of the package.

Impact Analysis

This vulnerability can have a significant impact by allowing attackers to gain unauthorized access to systems using ajenti.plugin.core versions prior to 0.112.

Since the password authentication can be bypassed even when 2FA is enabled, attackers can circumvent this additional security layer, increasing the risk of data breaches or unauthorized control.

Such unauthorized access could lead to compromise of sensitive information, disruption of services, or further exploitation within the affected environment.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the ajenti.plugin.core package to version 0.112 or later.

This update fixes the password authentication bypass issue when two-factor authentication (2FA) is activated.

Applying this patch will restore the intended security controls and prevent unauthorized access.

Compliance Impact

This vulnerability allows an attacker to bypass password authentication even when two-factor authentication (2FA) is activated, enabling unauthorized access without proper password verification.

Such unauthorized access can lead to violations of security requirements mandated by common standards and regulations like GDPR and HIPAA, which require strong authentication controls to protect sensitive data.

Therefore, if exploited, this vulnerability could compromise compliance with these regulations by undermining the effectiveness of authentication mechanisms designed to safeguard personal and health information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40177. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart